# uname -r
5.11.0-34-generic
# sudo keyctl list %:.platform
3 keys in keyring:
149920180: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA
2011: a92902398e16c49778cd90f99e4f9ae17c55af53
434591909: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate
Authority: ad91990bc22ab1f517048c23b6655a268e345a63
404799886: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011:
13adbf4309bd82709c8cd54f316ed522988a1bd4
# sudo keyctl list %:.blacklist | grep bin: | wc
79 474 8854
# sudo keyctl list %:.blacklist | grep Canonical
1050199374: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot
Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0
dmesg
[ 1.074086] blacklist: Loading compiled-in revocation X.509 certificates
[ 1.074714] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing:
61482aa2830d0ab2ad5af10b7250da9033ddcef0'
[ 1.084216] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar
table)
[ 1.085028] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate
Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
MOKvar is available, and used to load Master CA into .platform keyring,
and hashes into blacklist keyring.
** Tags removed: verification-needed-hirsute
** Tags added: verification-done-hirsute
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1928679
Title:
Support importing mokx keys into revocation list from the mok table
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
New
Status in linux source package in Bionic:
New
Status in linux source package in Focal:
New
Status in linux source package in Hirsute:
Fix Committed
Bug description:
[Impact]
* Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
which revokes many Ubuntu kernel hashes and 2012 signing key.
* Kernel should import those into it's %:.blacklist keyring such that
it prohibits signed kexec of the revoked kernels.
* v5.13-rc1 kernel has learned how to import mokx and how to import
full certs into the %:.blacklist keyring.
* However, it only does so by reading MokListXRT efi variable.
* Due to the large size of Ubuntu's vendor-dbx, shim does not create
MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2
MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also
exposes MokListXRT via mokvar table, which is easier to parse and
contains all the revocations in full. Kernel needs a patch to read
MokListXRT via mokvar table.
* We have two options on how to proceed from here, either we include
the same hashes and certs as our vendordbx in in the kernel as
revocation list, or we fix kernel to read MokListXRT via mokvar table
* The above is known as CVE-2020-26541
* Separately it would be nice to add informational dmesg messages
when revoking signing certificates, as a good indication that signing
key rotation events have happened and have been applied correctly.
[Test Plan]
* Boot kernel with 15.4 based Ubuntu shim
* Install keyutils package
* Execute $ sudo keyctl list %:.blacklist it should list in exccess
of 300+ hash entries. It also must list assymetric Canonical signing
key from 2012.
* Separately check dmesg to observe that asymmetric canonical signing
key from 2012 is revoked.
[Where problems could occur]
* EFI variable storage can be full thus preventing shim to mirror
efivars and the moktable. On decent hardware this should not happen,
but has been observed to be corrupted on some older EDKII based OVMF
instances with small EFI variable storage space (pre-4MB).
[Other Info]
* The patches to fix the above have been submitted upstream
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.led...@canonical.com/
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.led...@canonical.com/
This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
kernel, until accepted upstream.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
